chore(ci): harden CI workflows #135

Merged
LadyBluenotes merged 2 commits into TanStack:main from AlemTuzlak:chore/cicd-hardening-pnpm-bump on May 13, 2026

Conversation

@AlemTuzlak (Contributor)

Summary

Hardens GitHub Actions workflows against common CI/CD attack vectors by adding job timeouts, PR concurrency cancellation, and tightening an existing version pin comment. No behavioral changes — purely mechanical hardening.

Findings & fixes applied

  • Job timeout-minutes: — added to 5 jobs across all workflows (autofix: 20, benchmarks: 30, pr/test: 30, pr/preview: 30, release: 45, zizmor: 10). Defends against stuck jobs consuming Actions minutes indefinitely.
  • Concurrency cancel-in-progress: — added to benchmarks.yml with PR-only cancellation (cancel-in-progress: ${{ github.event_name == 'pull_request' }}). Push-to-main runs continue uninterrupted; redundant PR runs cancel.
  • Action version comment — added # v1.3.2 annotation to autofix-ci/action@635ffb0c... (already SHA-pinned, comment was missing for readability).

State going in (already good — left untouched):

  • All 3rd-party actions are 40-char SHA pinned across all workflows.
  • Top-level least-privilege permissions: blocks present on every workflow.
  • actions/checkout has persist-credentials: false everywhere except release.yml (which legitimately pushes back).
  • PR-triggered autofix.yml and pr.yml already have concurrency cancel-in-progress.
  • Release workflow concurrency uses cancel-in-progress: false (correct — never cancel mid-publish).
  • No pull_request_target usage anywhere in the repo.
  • Zizmor workflow already exists (commit 915f584) and was scoped correctly; only added timeout-minutes: 10 to match the template.

Findings deferred (need maintainer review)

None — this repo was already well-hardened. No pull_request_target patterns, no secrets.* exposure in run:, no script-injection vectors via github.event.* interpolation, no curl | sh patterns.

pnpm bump

n/a — already on pnpm@11.1.1 since commit 915f584 (#133). Repo's pnpm-workspace.yaml already uses pnpm 11 features (allowBuilds, packageExtensions, etc.) correctly. No migration needed.

Validation

  • YAML parse: ✅ 5 files (autofix, benchmarks, pr, release, zizmor)
  • actionlint: not available locally
  • zizmor: not available locally (the repo's own zizmor workflow will run on this PR)
  • pnpm install: not re-run — no manifest changes
  • pnpm run build: not re-run — no source / dependency changes

What I did NOT change

  • No changes to CI behavior (test commands, schedules, deploy targets, matrix configs, notification settings).
  • No wholesale workflow rewrites.
  • No auth flow changes.
  • No .npmrc edits.
  • No packageManager / pnpm-workspace.yaml edits — already at pnpm@11.1.1.

- Add job-level timeout-minutes to all workflows (15-45 min depending on job).
- Add concurrency group with PR-only cancel-in-progress to benchmarks workflow.
- Add version comment to autofix-ci/action SHA pin (v1.3.2).

No behavioral changes: test commands, schedules, deploy targets, matrix configs,
and notification settings are untouched.
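As an added illustration that is not part of this PR or the TanStack repository's own workflow files, the following minimal workflow combines the hardening settings the description lists: a top-level least-privilege permissions block, a concurrency group whose cancellation applies only to pull_request events, a job-level timeout-minutes, persist-credentials: false on checkout, and an action pinned to a full 40-character commit SHA with the tag recorded in a trailing comment. The workflow name, job name, run commands and the all-zero SHA are placeholders and assumptions, not values from the repository.

```yaml
name: pr
on:
  pull_request:
  push:
    branches: [main]

# Least-privilege token for every job; widen per job only where needed
# (the description notes these blocks were already present in the repo).
permissions:
  contents: read

# Redundant runs of the same PR cancel each other, but push-to-main runs are
# never cancelled: the expression is true only for pull_request events.
# A release workflow would instead use `cancel-in-progress: false` so a
# publish is never interrupted mid-way.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: ${{ github.event_name == 'pull_request' }}

jobs:
  test:
    runs-on: ubuntu-latest
    # Without this a hung job runs until the runner's default limit
    # (360 minutes on GitHub-hosted runners), burning Actions minutes.
    timeout-minutes: 30
    steps:
      # Full 40-char SHA pin with the human-readable tag in a comment.
      # The SHA and tag below are placeholders, not a real commit.
      - uses: actions/checkout@0000000000000000000000000000000000000000 # vX.Y.Z (placeholder)
        with:
          # Do not leave the job's GITHUB_TOKEN in .git/config; only a
          # workflow that pushes back (e.g. a release job) needs it.
          persist-credentials: false
      # Placeholder commands; assumes pnpm is provisioned via the
      # repository's packageManager field.
      - run: pnpm install --frozen-lockfile
      - run: pnpm test
```

Reading the file top to bottom mirrors the PR's checklist: permissions and concurrency at the top level, timeout-minutes at the job level, and pinning plus persist-credentials at the step level.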
@pkg-pr-new

pkg-pr-new Bot commented May 13, 2026


npm i https://pkg.pr.new/@tanstack/intent@135

commit: 7d33d36

@LadyBluenotes LadyBluenotes merged commit 8c64c66 into TanStack:main May 13, 2026
5 checks passed
@nx-cloud

nx-cloud Bot commented May 13, 2026

View your CI Pipeline Execution for commit 16f84b8

Command | Status | Duration | Result
nx run-many --targets=build --exclude=examples/** | ✅ Succeeded | <1s | View

☁️ Nx Cloud last updated this comment at 2026-05-13 18:24:16 UTC
